A white paper from US CEO forum The Business Roundtable gives an overview of their position on corporate governance. They recommend that every publicly owned corporation should have a committee that addresses governance issues, but then confuse the matter by discussing the nominating committee (appointing suitable Board members is only one part of corporate governance).
More governance resources

Apr 27, 2005

This slightly xenophobic article nevertheless analyzes the threat of theft of proprietary information. "Experts say that company insiders are a much bigger problem than someone hacking into the system from the outside. 'Seventy-five to 85 percent of all theft per se is done by an insider,' said Julie Snyder, president of the Silicon Valley chapter of the International High Technology Crime Investigation Association."More confidentiality resources

Apr 25, 2005

Curious to see the extensive Microsoft Redmond campus? One of their employees, presumably, has kindly posted this detailed aerial photograph of the site (warning: it's 4Mb!). Why did he/she post it on whe web? I've no idea.
More physical security links here

Apr 24, 2005

A public Wiki has been set up for people to contribute to an FAQ on ISO17799, BS7799-2 and so on. This is a collaborative community project, a good opportunity to information security professionals with '7799 experience to share best practice with our peers. It's early days yet but that means there's plenty of scope for you to add questions and, most of all, add useful answers.
More links to information security standards, laws and regulations

The Washington Post is reporting that imposters falsely claiming to be unannounced inspectors working for a US government hospital inspection body have been detected and ejected from at least three hospitals. Their motives are unclear at present. Until two weeks ago, the inspection body used to post the names of its inspectors on its website (‘nuff said).
More social engineering and physical security links

Apr 23, 2005

Dirty disks clogged up with musty old data? Desperate to throw them away but worried about where they'llend up? You need DBAN! DBAN is a bootable system and disk eraser. Boot and nuke your old hard drives with DBAN! Kills 99.9% of data, DEAD!
More physical security resources

Apr 22, 2005

Those who openly advertise and sell controlled drugs online are not above the law. The Washington Post reports that the DEA has shut down a major online drugs operation based in Philly distributing generic drugs supplied from India. This will not be the last online drugs bust, for sure. Perhaps this will finally curtail the spammers' obnoxious activities (don't hold your breath).
More web security resources

This is a fascinating case study expounding the business value of implementing ISO17799 (BS7799). The case reveals some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere.More IT governance and information security management resources

Apr 21, 2005

We have published a review of the IT Governance book by Weill and Ross to tie-in with this month's NoticeBored Classic security awareness module, funnily enough on IT governance. Find out what makes it worthwhile reading to the last chapter.More IT governance resources

Apr 16, 2005

Two weeks before British vehicle manufacturer MG Rover finally went into administration, tough questions were being asked of its Chairman and directors regarding some 'unusual' business transactions. Corporate governance is the core issue. We will probably never know the full picture. Meanwhile, thousands of workers are unemployed despite millions of pounds of public money being spent in attempts to shore-up the failing firm.IT governance resources

"Draining" is the 'sport' of infiltrating places by means of underground sewers, cable ducts etc. Caving skills, a cyclops hat and a strong stomach are advisable. The implications for critical infrastructure facilities are glaringly obvious.
Other physical security resources here

Apr 14, 2005

FTSE, a private company providing financial information on thousands of companies worldwide, has started providing corporate governance ratings in conjunction with ISS. The ratings are apparently derived from "up to 61 corporate governance variables". We have no opinion on the veracity of their Corporate Governance Quotients and, as always, advise investors to take advice from professional advisors, not us. [Note: access to the FTSE site requires free registration].
More IT governance resources

US-CERT's latest cyber security tip discusses privacy concerns as we browse the Web. Most browsers disclose information about their systems simply by visiting websites. The tip concludes with three straightforward actions to limit our exposure. It is well worthwhile signing-up for the cyber security tips and related materials from CERT whether you are simply a computer user or run a security awareness program. Author Mindi McDowell and colleagues are doing a great job.More confidentiality and privacy resources

The latest CSO Mag has a thoughtful article about a 3,000 year old Irish cliff-top fort, drawing various analogies between securing a fort vs. securing a network. Unfortunately, interesting though the analogy might be, a 3,000 year old fort offers minimal protection against modern weapons of war. Increasingly sophisticated adversaries using powerful new technologies remain a serious threat in any age. Oh and don't forget the Peasants' Revolt when the Tower Of London was breached by dint of bribing the gatekeeper. Social engineering has a long history too.

Apr 13, 2005

Yesterday was 'patch Tuesday' meaning that millions of PCs running Windows Update are slavishly downloading the latest patches from Microsoft. The explanation of "cumulative security update for Internet Explorer", just one of this month's patches, indicates that unpatched PCs accessing 'malicious Web pages' could be completely compromised by bugs in IE's handling of DHTML and URLs, potentially giving an attacker 'complete control of an affected system' through 'remote code execution'. In case you missed it, this important snippet of information is buried under the (normally unexpanded) vulnerability details section of the detailed bulletin accessible from the information page about the fix included in the latest set of patches ... how many of us bother to follow the trail through three web pages? What's more, today's Handler's Diary at SANS Internet Storm Center (which we blogged yesterday) reports that "A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations.", a point which Microsoft neglected to mention explicitly. (FrSIRT notice here)Watch out for a forthcoming NoticeBored security awareness module on 'security in information systems development' which will mention the patching treadmill as a contingency measure following the release of buggy software.More Internet security resources

An article in USA Today lists quite a few security-related US laws that are in progress or planned. Multiply this list by N to cover similar initiatives in the rest of the world and the scale of the legal compliance issue starts to become clear.More IT governance and IT law resources

Apr 12, 2005

The SANS Internet Storm Center's Handler's Diary provides a wonderful source of up-to-date information on current Internet security threats. Today, for example, it is reminding people that Microsoft will be auto-updating Windows XP machines to Service Pack 2 tomorrow, even if users have previously opted-out of the patch. It also includes a list of ports and IP addresses that might indicate your system is being used as a spambot. The diary is aimed at information security managers, information technologists and power users. If you are in these select groups, consider setting your browser's home page to the latest Handler's Diary page to keep up with current events.Other information security management resources here

Russian extortionists who used DDoS attacks to extort money from UK betting firms have been arrested. Complaints to the National High-Tech Crime Unit of attacks have evidently fallen since the arrest of a Russian gang believed to be behind the protection racket which forced Web-gambling firms to pay up or face extended service outages. [Whilst that may be true, DDoS attacks definitely remain a serious threat to any web-based business, us included.]
More availability resources

Apr 10, 2005

ReportLine, ComplianceLine, SilentWhistle and Shareholder.com are examples of commercial services handling calls from customers’ employees who wish to blow the whistle on dishonest/unethical behavior, fraud, health and safety breaches, HIPAA/data protection breaches and related matters. The Government Accountability Project and BlowTheWhistle support those blowing the whistle on wrongdoing affecting public bodies. Sarbanes-Oxley is yet another reason why organizations should take their responsibilities towards such whistleblowers very seriously indeed. Outsourcing this particular kind of service has a number of advantages. For instance, the call handling agency is independent of the organization and thus may be considered more trustworthy than insiders. Secondly, it builds a competence in assessing, prioritizing and dealing professionally with reported issues beyond the level achievable by an internal function. [We recently proposed the formation of an international not-for-profit organization to handle information security vulnerability reports in the same kind of way ...]More IT governance resources here

Apr 9, 2005

Barcelona is home to a hacking school, more precisely a course teaching students about information security risks and control techniques. The course is backed by ISECOM, the Institute for Security and Open Methodologies, which describes itself as an 'open-source collaborative community ... dedicated to providing practical security awareness, research, certification and business integrity'.

The gist of this news article is that a fraud involving the theft of customer details by call-center operators in an Indian company may discredit the whole Indian off-shore/outsourcing market. Sorry, I don't buy that argument. The truth is that IT fraud is a risk in ALL countries. I see no reason to believe that India is inherently more risky than anywhere else - in fact, the increasing level of interest in our security awareness products from Indian IT companies suggests quite the opposite to me. At the risk of over-generalizing, India seems very well aware of the importance of information security. More IT fraud links and IT governance links

Apr 8, 2005

Watchfire supplies an application security test suite. Whereas we normally emphasize the importance of human factors in information security, application testing is one area where technical security measures are relatively underdeveloped. Manual testing is tedious, slow and error prone, but still necessary. Automated testing reduces the tedium and increases the coverage. The combination of a good test suite in the hands of experienced security testers is unbeatable.
More Internet security links

Apr 6, 2005

Australian standard AS 8015-2005 provides guiding principles for Directors on "the effective, efficient, and acceptable use of ICT". This is believed to be the first official standard in the world dedicated specifically to IT governance.
More IT governance links.

Apr 3, 2005

This is part of a factsheet from the UK Institute of Directors advising non-executive directors on (a) how to go about asking questions to the Board or other managers about IT strategy and security; and (b) the types of question worth asking. [I particularly liked "Has your business assessed the risk of getting a reputation for slackness in security?"!]More IT governance resources

Find out (roughly) how vulnerable you are to identity theft by completing this automated survey. Practical advice on how to reduce your risk is given at the end. [This might be a useful security awareness site for your intranet, and for your friends and relatives].More IT fraud resources

This site is a real eye-opener. It is a bulletin board system where people supposedly post information about bad experiences with various get-rich-quick schemes. Purveyors of said schemes then respond by justifying their activities ... and so the cycle continues. The net result (pun intended) is that the schemes get even more promotion and naive site visitors get inundated with conflicting information. The eye-opener bit is the sheer scale of ignorance and greed on both sides of the argument. Why is it that so many people believe they can make a fortune (well a few hundred bucks maybe) by 'recruiting others to join the program' or 'completing surveys' or whatever? Why do the scammers resort to personal insults against any of their 'customers' who have the temerity to complain about non-receipt of checks etc.? Maybe these people are just made for each other.

Defining and promoting your information security policies is an essential requirement for Sarbanes-Oxley compliance. SOX auditors will most likely review your policies as one of the first steps: are you ready for them?
More IT governance links here

Apr 1, 2005

We have just released the latest NoticeBored Classic module, this month a bumper package with nearly 12Mb of security awareness materials on IT governance. The pack introduces a new deliverable developed in response to customer inquiries about security metrics: a simple security awareness survey form. The survey format is likely to evolve in future months and, in parallel, we are working on a new white paper on security metrics. Watch this space.By the way, an exciting new version of NoticeBored Plus has also been released. Please contact us for further information.New IT governance links page here

Hot topic

NBlogger is ...

Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors - the ‘people side’ as opposed to the purely technical aspects of information security. Gary's career stretches back to the mid-1980s as both practitioner and manager in the fields of IT system and network administration, information security and IT auditing. He has worked and consulted in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, financial services and government sectors, for organizations of all sizes. Since 2003, he has been creating security awareness materials for clients (www.NoticeBored.com) and supporting users of the ISO27k standards (www.ISO27001security.com). In conjunction with Krag Brotby, he wrote "PRAGMATIC security metrics" (www.SecurityMetametrics.com). He is a keen radio amateur, often calling but seldom heard by distant stations on the HF bands.